Bootstrapping security into a startup can be done in so many different ways. The size of your team, different target markets, and solving your own unique problems are just a few of the differences that would influence your approach. Security is about building layers of protection to help reduce risk and minimise any damage to your success. No one tool or piece of advice will be the security silver bullet, but collectively, a lot of small things can help prevent a future data breach.
One of the first things to happen after Kinde’s seed funding was to think about effective and easy to implement security controls to help provide a solid foundation as we grew from an idea. This eventual strategy would be used to help build awareness as new starters joined and a future path.
The hit list was built based on discussions about founding previous companies, being involved with growing startups, war stories, and best practices sourced online. Some were very tactical, such as performing some hardening of our Google accounts or licensing a password manager, and others were foundational, such as introducing the use of security headers and code scanners as an ongoing engineering effort.
I think the overall goal here was to not get hacked in the first few months while the team was being hired and an initial demo was being built.
In no particular order:
- Google hygiene - Enforce 2FA on all accounts, disable automatic third party API integrations, enable Basic MDM, send security alerts to Slack
- Link everything with Google SSO where possible - Email, communications, knowledge management, code repo, HRIS, etc
- Workstation consistency - Use MacBooks as the only option
- Passwords - License a password manager
- AWS security services - Enable GuardDuty, SecurityHub, Inspector, CloudTrail, VPC flow logging
- AWS security groups - Block inbound public internet unless absolutely necessary
- Password breach notification - Sign up to HaveIBeenPwnd domain notifications
- Security headers - Introduce the usage of security headers and trying to get an A on the security headers scanner
- Certificates - Get all public URLs to use TLS 1.2+ and an A on the SSLLabs scanner
- External vulnerability scanning - Use the free ZAP scanning and then license an affordable commercial tool
- Customer data - Encrypt database at rest and think about very strict access controls
- Code security - Start using tools to scan our source code for common vulnerabilities and third party dependencies
I won’t dig into the why for this list in the hopes that they all sound reasonable.
The next part of our strategy was to look at the risks facing Kinde now that we’ve exited stealth and may start attracting good and bad attention. As inspiration, we used the Cloud Security Alliance’s CAIQ-Lite template to self audit and identify key security controls that were missing. I like this template because it provides a wide breadth of controls related to security and business resilience. It might be a bit overkill if you’re only a founding team without dedicated engineers, but is well worth a browse.
We agreed on a few key risks based on the results and split them into actionable tasks.
- No disaster recovery plans or testing
- No checklists for on-boarding and off-boarding
- No security awareness training
- No endpoint protection or device management
- No penetration test
The hit list got knocked off almost immediately since most of it was fairly trivial to implement. I think a huge help was having a group of founders who were conscious about security.
Some of the self audit tasks are still in progress.
Disaster recovery is being worked on right now while we complete our multi region infrastructure as code.
Checklists for on-boarding and off-boarding were done as soon as we hired our head of people and culture. We now have a detailed checklist when an employee joins along with an amazing onboarding library to get new starters running.
Security awareness training is done as a virtual meeting for all new starters during their onboarding week. This gives me a chance to meet everyone virtually in their first week and tailor the information to their job role and experience.
Since everyone was using laptops, we chose a cloud based next-gen anti-virus tool. Installation verification is done as part of everyone’s security awareness training.
And finally, we’ve just recently completed our first penetration test. The scope was anything and everything related to Kinde. The testers created multiple demo organisations to test our services both as a customer and an end user, targeting things like workflows, privilege escalations, and common OWASP techniques. Additionally we’ve also licensed a cloud based external vulnerability scanner to help keep tabs on our attack surface and public facing URLs.
All of this represents a point in time snapshot of what we wanted to achieve with security as an early stage startup. Now, the focus shifts towards automation and better integration with our internal tools to speed things up and bring more reliability to our processes. We’ve come a long way in a short period of time and we’re all excited about what the future will hold for Kinde.